Syntax error in UpdateCommand
-
Why is it that when I use the UpdateCommand as below, I get the error: Syntax error (operator missing) in query expression

    daAgent.UpdateCommand.CommandText = ("Update Agent" & _
        " SET Nummer_Naam = " & agentNummerNaam & _
        ", Agentnummer = " & txtAgentNummer.Text & _
        ", Agentnaam = " & txtAgentNaam.Text & _
        " WHERE(Agentnummer = " & agentNummerOud & ")")
    daAgent.UpdateCommand.Connection.Open()
    daAgent.UpdateCommand.ExecuteReader()
    daAgent.UpdateCommand.Connection.Close()
-
Your code is susceptible to SQL Injection Attack. Please read SQL Injection Attacks and Tips on How to Prevent Them.

You use ExecuteReader. But you don't get any information back. You should use ExecuteNonQuery() when you don't expect a result set.

You are allowing unvalidated and unsanitised user input directly into the SQL Statement. It is highly possible that this dirty information is causing problems for your SQL Statement. The advice given in SQL Injection Attacks and Tips on How to Prevent Them will help you generate a safe SQL command that will be protected against that sort of error when caused by user input.
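A parameterized form of the update from the question, as an added example that is not part of the original thread. It assumes the adapter uses the OleDb provider, that Agentnummer is an Integer column and the other two columns are text; the module name, function names and sample values are hypothetical.

```vbnet
Imports System
Imports System.Data.OleDb

Module AgentUpdateExample

    ' Builds the UPDATE with placeholders instead of concatenated text.
    ' OleDb parameters are positional: they bind in the order they are added,
    ' which must match the order of the ? markers. The names are labels only.
    ' Assumption: Agentnummer is an Integer column, the other two are text.
    Function BuildUpdateAgent(nummerNaam As String, nieuwNummer As Integer,
                              naam As String, oudNummer As Integer) As OleDbCommand
        Dim cmd As New OleDbCommand(
            "UPDATE Agent SET Nummer_Naam = ?, Agentnummer = ?, Agentnaam = ? " &
            "WHERE Agentnummer = ?")
        cmd.Parameters.Add("@NummerNaam", OleDbType.VarWChar).Value = nummerNaam
        cmd.Parameters.Add("@NieuwNummer", OleDbType.Integer).Value = nieuwNummer
        cmd.Parameters.Add("@Naam", OleDbType.VarWChar).Value = naam
        cmd.Parameters.Add("@OudNummer", OleDbType.Integer).Value = oudNummer
        Return cmd
    End Function

    ' Runs the command on the caller's connection and returns the rows affected.
    Function UpdateAgent(conn As OleDbConnection, cmd As OleDbCommand) As Integer
        cmd.Connection = conn
        conn.Open()
        Try
            Return cmd.ExecuteNonQuery()   ' no result set is expected
        Finally
            conn.Close()
        End Try
    End Function

    Sub Main()
        ' Constructed sample input standing in for the two text boxes.
        Dim nummerText As String = "42"
        Dim naamText As String = "Jan O'Brien"   ' space and apostrophe

        Dim nieuwNummer As Integer
        If Not Integer.TryParse(nummerText, nieuwNummer) Then
            Console.WriteLine("Agentnummer must be a whole number.")
            Return
        End If

        Dim cmd = BuildUpdateAgent("42 Jan O'Brien", nieuwNummer, naamText, 7)
        Console.WriteLine(cmd.CommandText)   ' statement text is fixed
        For Each p As OleDbParameter In cmd.Parameters
            Console.WriteLine("{0} = {1}", p.ParameterName, p.Value)
        Next
    End Sub
End Module
```

Main only builds and prints the command, so it runs without a database. The name travels as a parameter value, so its space and apostrophe never become part of the statement the provider parses.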